NSA to bug Huawei firmware to spy on potential targets

Huawei Technologies' volatile relationship with the U.S. government has taken an interesting twist. Two years ago, Huawei turned its focus to growing its European customer base after being hampered by security concerns in the United States (see Huawei focuses on EU after U.S. congressional grilling). This time, rather than being accused yet again of spying for the Chinese government, Huawei is reportedly the target of hacking by the National Security Agency (NSA).

During the course of a project code-named "Shotgiant," the NSA penetrated the corporate networks of Huawei so completely that U.S. officials were able to read email from the company's CEO and download sensitive documents on more than 1,400 large Huawei customers, as well as technical data on current products and those still in development, according to documents released by former NSA contractor Edward Snowden to Der Spiegel and The New York Times.

"We currently have good access and so much data that we don't know what to do with it," according to one NSA report from 2010 quoted in Der Spiegel.

Rather than stop at simply collecting more information than it could process, however, an NSA special-operations unit bored into the company's technical data, eventually compromising servers holding source code for the firmware that runs the routers and switches Huawei builds for large corporations and telecommunications companies.

The goal was to build secret backdoors or security flaws into the source code, which Huawei would then build into its own products and distribute to a customer base so large that Huawei boasts that its products connect a third of the world's population.

"Many of our targets communicate over Huawei-produced products," according to one of those reports. "We want to make sure that we know how to exploit these products," in order to "gain access to networks of interest," according to the document.

An ongoing operation

Rather than being an anomaly, the plan to bug Huawei firmware fit neatly into an apparently ongoing NSA campaign to magnify the impact of its efforts by installing bugs and backdoors into the firmware of commercial technology products. Oblivious technology vendors would then distribute those products and sell them to potential targets with no indication the NSA had ever been involved. Previously released documents report similar efforts to compromise products from Western Digital, Seagate, Maxtor, Samsung, and other, mostly U.S.-based companies.

The NSA unit involved—the Office of Tailored Access Operations (TAO), which is based in Ft. Meade, Md.—is a cadre of encryption and penetration specialists who can be called into action like a special-forces strike team to penetrate high-value targets with unusually tough security, according to Der Spiegel. A TAO sub-group known as ANT builds circuit boards disguised as USB devices, or hidden under other, more subtle camouflage, which can be implanted in targeted servers and secretly broadcast everything they do to nearby NSA relay stations.

ANT has also developed bits of malware, collectively referred to as "Persistence," that are designed to penetrate and install their payloads in the BIOS of PCs and servers and in the firmware of routers or other networking equipment. Once installed, the payloads become part of the core operating code of the device in which they're implanted, and are reinstalled on motherboards or hard drives even after previous versions of the firmware and operating systems have been wiped and replaced, according to Der Spiegel, which got a look at the TAO catalogue of attack devices courtesy of Snowden.

Specifics remain elusive

There is no information available on the specific techniques the NSA used to attack either the Huawei servers or source code. The catalogue and many other reports released by Snowden were from the same period as the NSA's attacks on Huawei, making it likely the exploits and tactics used were similar to those in the Snowden documents.